Armada Collective DDoS threats were fake, but still scored thousands of dollars

A group of would-be cybercriminals sent empty DDoS attack threats to several sites and online services demanding ransoms to the tune of thousands of dollars.

The group claimed to be the shadowy hacker organization Armada Collective, the same group that allegedly carried out a DDoS campaign on Protonmail last year. However, Cloudflare has called out these DDoS threats as fake.

“To date, we’ve not seen a single attack launched against a threatened organization,” said CEO Matthew Prince. Cloudflare compared its notes with other DDoS mitigation and security firms, he said, and found the same thing.

While the threats were fake, the extortion was not. Chainalysis told Cloudflare that many sites did indeed pay up to avoid the perceived threat of a DDoS attack, and the bitcoin address associated with the email threats received up to $100,000 in transactions.

Many of the email threats to services like BlackVPN and SCRYPTmail looked very similar. Prince pointed out that this was one of the flaws in the plan. As the extortion money is demanded in bitcoin, which is for the most part anonymous, there was no way for “Armada Collective” to determine which sites had actually paid and who shouldn’t be DDoS’d.

Taking this together with the lack of any actual attacks, Cloudflare deduced that these were all empty threats. Most likely the unknown group was piggybacking on the reputation that the other Armada Collective had built for carrying out DDoS attacks. That group hasn’t been active since November of last year.

Now that same group of pretenders, according to Cloudflare, has supposedly adopted the mantle of Lizard Squad, another hacker group that was most infamous for attacking PlayStation and Xbox networks.

Cloudflare’s Justin Paine notes that these latest DDoS threats appear very similar and even reuse the same bitcoin address. Once again, no attacks have been recorded.

“Similar to the group claiming to be the ‘Armada Collective’, there is a general consensus within the security community that this group claiming to be the ‘Lizard Squad’ is not in fact actually the group they claim to be,” Paine said. “This is another copycat.”
